Date:      Wed, 2 Sep 2015 21:08:51 +0000 (UTC)
From:      Mathieu Arnold <mat@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r395909 - in branches/2015Q3/dns: bind910 bind910/files bind99 bind99/files
Message-ID:  <201509022108.t82L8pZc029300@repo.freebsd.org>

Author: mat
Date: Wed Sep  2 21:08:51 2015
New Revision: 395909
URL: https://svnweb.freebsd.org/changeset/ports/395909

Log:
  MFH: r393161 r395660 r395703 r395908
  
  Update BIND to 9.9.7-P3 and 9.10.2-P4.
  
  Also:
  - Add an option to enable the bind min override ttl patch.
  - When not using OpenSSL from ports, do not try to unmount the chrooted
    engines directory.
  - Add an option for embedding PORTREVISION in the server's version string.
  
  Security:	CVE-2015-5722, CVE-2015-5986
  Sponsored by:	Absolight

Added:
  branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl
     - copied unchanged from r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl
  branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl
     - copied unchanged from r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl
Modified:
  branches/2015Q3/dns/bind910/Makefile
  branches/2015Q3/dns/bind910/distinfo
  branches/2015Q3/dns/bind910/files/named.in
  branches/2015Q3/dns/bind99/Makefile
  branches/2015Q3/dns/bind99/distinfo
  branches/2015Q3/dns/bind99/files/named.in
Directory Properties:
  branches/2015Q3/   (props changed)

Modified: branches/2015Q3/dns/bind910/Makefile
==============================================================================
--- branches/2015Q3/dns/bind910/Makefile	Wed Sep  2 20:46:55 2015	(r395908)
+++ branches/2015Q3/dns/bind910/Makefile	Wed Sep  2 21:08:51 2015	(r395909)
@@ -21,7 +21,7 @@ COMMENT?=	BIND DNS suite with updated DN
 LICENSE=	ISCL
 
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.10.2-P3
+ISCVERSION=	9.10.2-P4
 
 MAKE_JOBS_UNSAFE=	yes
 
@@ -58,7 +58,8 @@ OPTIONS_RADIO_GOSTDEF=	GOST GOST_ASN1
 
 .if !defined(BIND_TOOLS_SLAVE)
 OPTIONS_DEFAULT+=	RRL
-OPTIONS_DEFINE+=	LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP
+OPTIONS_DEFINE+=	LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP \
+			MINCACHE PORTREVISION
 OPTIONS_GROUP=		DLZ
 OPTIONS_GROUP_DLZ=	DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
 			DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
@@ -81,6 +82,8 @@ GOST_DESC=		GOST raw keys (new default)
 GOST_ASN1_DESC=		GOST using ASN.1
 PYTHON_DESC=		Build with Python utilities
 START_LATE_DESC=	Start BIND late in the boot process
+MINCACHE_DESC=		Use the mincachettl patch
+PORTREVISION_DESC=	Show PORTREVISION in the version string
 
 LINKS_DESC=		Create conf file symlinks in ${PREFIX}
 NEWSTATS_DESC=		Enable alternate xml statistics channel format
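Review bot: `MINCACHE_DESC= Use the mincachettl patch` names the patch file rather than what it does, so someone reading the options dialog cannot tell that enabling it adds two new named.conf options; something like `MINCACHE_DESC= Add min-cache-ttl and override-cache-ttl options (extra patch)` would describe the effect. The same description text is added in the corresponding bind99 Makefile hunk further down, so both would want the same wording.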
@@ -98,6 +101,7 @@ GSSAPI_BASE_DESC=	Using Heimdal in base
 GSSAPI_HEIMDAL_DESC=	Using security/heimdal
 GSSAPI_MIT_DESC=	Using security/krb5
 GSSAPI_NONE_DESC=	Disable
+MINCACHE_EXTRA_PATCHES=	${FILESDIR}/extrapatch-bind-min-override-ttl
 
 .if !defined(BIND_TOOLS_SLAVE)
 CONFLICTS+=		bind-tools-9.*
@@ -223,6 +227,10 @@ post-patch:
 		${WRKSRC}/bin/${FILE}
 .endfor
 
+post-patch-PORTREVISION-on:
+	@${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
+		${WRKSRC}/version
+
 post-install:
 .if ${PORT_OPTIONS:MDOCS}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
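Review bot: The `s#=$$#=_${PORTREVISION}#` substitution in post-patch-PORTREVISION-on only fires when the matching `EXTENSIONS` line of ${WRKSRC}/version ends in a bare `=`, so a release that ships a non-empty EXTENSIONS would silently build without the revision suffix and nothing would report it; a comment such as `# assumes ISC ships EXTENSIONS= empty; verify after each upgrade` would save the next updater a surprise. It also seems worth stating in PORTREVISION_DESC that the resulting string is what named reports for the CHAOS `version.bind` query unless `version` is set in named.conf, since that is where the extra detail becomes visible. The identical target is added in the bind99 Makefile hunk later in this commit.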

Modified: branches/2015Q3/dns/bind910/distinfo
==============================================================================
--- branches/2015Q3/dns/bind910/distinfo	Wed Sep  2 20:46:55 2015	(r395908)
+++ branches/2015Q3/dns/bind910/distinfo	Wed Sep  2 21:08:51 2015	(r395909)
@@ -1,2 +1,2 @@
-SHA256 (bind-9.10.2-P3.tar.gz) = 78079a66dda455ffecfe93ef72d1ffc947f17b1c453d55ec06b860b49a5e1d4a
-SIZE (bind-9.10.2-P3.tar.gz) = 8469831
+SHA256 (bind-9.10.2-P4.tar.gz) = c00b21ec1def212957f28efe9d10aac52d6ec515e84fbf2c42143f5d71429cb8
+SIZE (bind-9.10.2-P4.tar.gz) = 8471531

Copied: branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl (from r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl	Wed Sep  2 21:08:51 2015	(r395909, copy of r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl)
@@ -0,0 +1,78 @@
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c
+--- bin/named/config.c	2009-05-22 12:24:49.000000000 +0400
++++ bin/named/config.c	2009-05-22 12:31:35.000000000 +0400
+@@ -129,6 +129,8 @@
+ 	min-roots 2;\n\
+ 	lame-ttl 600;\n\
+ 	max-ncache-ttl 10800; /* 3 hours */\n\
++       override-cache-ttl 0; /* do not override */\n\
++       min-cache-ttl 0; /* no minimal, zero is allowed */\n\
+ 	max-cache-ttl 604800; /* 1 week */\n\
+ 	transfer-format many-answers;\n\
+ 	max-cache-size 0;\n\
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c
+--- bin/named/server.c	2009-05-22 12:24:49.000000000 +0400
++++ bin/named/server.c	2009-05-22 12:32:18.000000000 +0400
+@@ -1727,6 +1727,16 @@
+ 		CHECK(mustbesecure(obj, view->resolver));
+ 
+ 	obj = NULL;
++	result = ns_config_get(maps, "override-cache-ttl", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	view->overridecachettl = cfg_obj_asuint32(obj);
++
++	obj = NULL;
++	result = ns_config_get(maps, "min-cache-ttl", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	view->mincachettl = cfg_obj_asuint32(obj);
++
++	obj = NULL;
+ 	result = ns_config_get(maps, "max-cache-ttl", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->maxcachettl = cfg_obj_asuint32(obj);
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h	2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/include/dns/view.h	2009-05-22 12:29:03.000000000 +0400
+@@ -131,6 +131,8 @@
+ 	isc_boolean_t			provideixfr;
+ 	isc_boolean_t			requestnsid;
+ 	dns_ttl_t			maxcachettl;
++	dns_ttl_t			mincachettl;
++	dns_ttl_t			overridecachettl;
+ 	dns_ttl_t			maxncachettl;
+ 	in_port_t			dstport;
+ 	dns_aclenv_t			aclenv;
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c
+--- lib/dns/resolver.c	2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/resolver.c	2009-05-22 12:30:41.000000000 +0400
+@@ -4054,6 +4054,18 @@
+ 		}
+ 
+ 		/*
++		 * Enforce the configure cache TTL override.
++		 */
++                if (res->view->overridecachettl)
++                        rdataset->ttl = res->view->overridecachettl;
++
++		/*
++		 * Enforce the configure minimum cache TTL.
++		 */
++                if (rdataset->ttl < res->view->mincachettl)
++                        rdataset->ttl = res->view->mincachettl;
++
++		/*
+ 		 * Enforce the configure maximum cache TTL.
+ 		 */
+ 		if (rdataset->ttl > res->view->maxcachettl)
+diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c	2009-05-22 12:24:49.000000000 +0400
++++ lib/isccfg/namedconf.c	2009-05-22 12:31:21.000000000 +0400
+@@ -821,6 +821,8 @@
+ 	{ "lame-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
+ 	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
++	{ "override-cache-ttl", &cfg_type_uint32, 0 },
++	{ "min-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+ 	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
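Review bot: The resolver.c hunk of this extra patch applies the override, then the minimum, then the pre-existing maximum clamp, so a min-cache-ttl or override-cache-ttl larger than max-cache-ttl is silently capped and the server.c hunk adds no range check at configuration time; a check there, or at least a comment on the precedence, would make the interaction explicit. Raising TTLs above what the authoritative server published keeps records in cache longer than their owner intended, including ones deliberately kept short for failover or key rollover, which is worth stating in the option description. The two new comment headers read `Enforce the configure cache TTL override` and `Enforce the configure minimum cache TTL`; `configured` is meant, and the new statements beneath them are indented with spaces where the surrounding code uses tabs. The bind99 copy of this file later in the commit appears identical, so the same applies there.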

Modified: branches/2015Q3/dns/bind910/files/named.in
==============================================================================
--- branches/2015Q3/dns/bind910/files/named.in	Wed Sep  2 20:46:55 2015	(r395908)
+++ branches/2015Q3/dns/bind910/files/named.in	Wed Sep  2 21:08:51 2015	(r395909)
@@ -232,10 +232,10 @@ named_stop()
 named_poststop()
 {
 	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
-		# unmount OpenSSL engines, if they were not mounted but only
-		# copied, do nothing.
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
-			umount ${named_chrootdir}${_openssl_engines}
+		# if using OpenSSL from ports, unmount OpenSSL engines, if they
+		# were not mounted but only copied, do nothing.
+		if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
+		  umount ${named_chrootdir}${_openssl_engines}
 		fi
 		# unmount /dev
 		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
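Review bot: `-d ${_openssl_engines}` on the new test line is unquoted, so if `_openssl_engines` is empty rather than a non-existent path (how it is set is outside this hunk) the shell sees `[ -d -a \( ... \) ]` and test reports a syntax error instead of skipping the umount; `-d "${_openssl_engines}"` keeps the expression well-formed either way. The check also looks at the host path while the umount acts on `${named_chrootdir}${_openssl_engines}`, which is presumably intended (the engines directory only exists when OpenSSL comes from ports), but the comment could say so. The new `umount` line is indented with two spaces where the surrounding script uses tabs. The bind99 named.in hunk at the end of the commit has the same change.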

Modified: branches/2015Q3/dns/bind99/Makefile
==============================================================================
--- branches/2015Q3/dns/bind99/Makefile	Wed Sep  2 20:46:55 2015	(r395908)
+++ branches/2015Q3/dns/bind99/Makefile	Wed Sep  2 21:08:51 2015	(r395909)
@@ -15,7 +15,7 @@ COMMENT=	BIND DNS suite with updated DNS
 LICENSE=	ISCL
 
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.9.7-P2
+ISCVERSION=	9.9.7-P3
 
 MAKE_JOBS_UNSAFE=	yes
 
@@ -43,8 +43,9 @@ SUB_FILES=	pkg-message
 
 OPTIONS_DEFAULT=	IPV6 SSL THREADS SIGCHASE IDN GSSAPI_NONE RRL
 OPTIONS_DEFINE=		SSL IDN REPLACE_BASE LARGE_FILE FIXED_RRSET SIGCHASE \
-			IPV6 THREADS FILTER_AAAA GOST PYTHON START_LATE \
-			LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS
+			IPV6 THREADS FILTER_AAAA GOST PYTHON START_LATE MINCACHE \
+			LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS \
+			PORTREVISION
 OPTIONS_GROUP=		DLZ
 OPTIONS_GROUP_DLZ=	DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
 			DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
@@ -62,6 +63,8 @@ FILTER_AAAA_DESC=	Enable filtering of AA
 GOST_DESC=		Enable GOST ciphers, needs SSL (see help on 8 and 9)
 PYTHON_DESC=		Build with Python utilities
 START_LATE_DESC=	Start BIND late in the boot process
+MINCACHE_DESC=		Use the mincachettl patch
+PORTREVISION_DESC=	Show PORTREVISION in the version string
 
 LINKS_DESC=		Create conf file symlinks in ${PREFIX}
 NEWSTATS_DESC=		Enable alternate xml statistics channel format
@@ -80,6 +83,7 @@ GSSAPI_BASE_DESC=	${GSSAPI_DESC} (Heimda
 GSSAPI_HEIMDAL_DESC=	${GSSAPI_DESC} (security/heimdal)
 GSSAPI_MIT_DESC=	${GSSAPI_DESC} (security/krb5)
 GSSAPI_NONE_DESC=	No ${GSSAPI_DESC}
+MINCACHE_EXTRA_PATCHES=	${FILESDIR}/extrapatch-bind-min-override-ttl
 
 SSL_CONFIGURE_ON=	--with-openssl=${OPENSSLBASE}
 SSL_USE=		openssl=yes
@@ -194,6 +198,10 @@ post-patch:
 		${WRKSRC}/bin/${FILE}
 .endfor
 
+post-patch-PORTREVISION-on:
+	@${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
+		${WRKSRC}/version
+
 post-configure:
 	@${REINPLACE_CMD} -e '/^SO_LDFLAGS/s/-Wl,-rpath,/-rpath /' ${WRKSRC}/bin/tests/system/dlzexternal/Makefile
 

Modified: branches/2015Q3/dns/bind99/distinfo
==============================================================================
--- branches/2015Q3/dns/bind99/distinfo	Wed Sep  2 20:46:55 2015	(r395908)
+++ branches/2015Q3/dns/bind99/distinfo	Wed Sep  2 21:08:51 2015	(r395909)
@@ -1,4 +1,4 @@
-SHA256 (bind-9.9.7-P2.tar.gz) = f5f433567e5f68d61460d86f691471259a49b6d10d7422acbd88b7fdb038b518
-SIZE (bind-9.9.7-P2.tar.gz) = 7935877
-SHA256 (9.9.7-P2-rpz2+rl.14038.05.patch.xz) = 149f8e2888466444138e37096ea57da181b7f21e7fad232c8eedeed12ffcd99b
-SIZE (9.9.7-P2-rpz2+rl.14038.05.patch.xz) = 39124
+SHA256 (bind-9.9.7-P3.tar.gz) = cb737dce18350890f350dd7d3bc836c62ea440103dfde184c09bc18cfad8a844
+SIZE (bind-9.9.7-P3.tar.gz) = 7939885
+SHA256 (9.9.7-P3-rpz2+rl.14038.05.patch.xz) = ec3c5c5a5011d605eeff664e41d3839c3ecda476a8a2eb20784dfaa79f8b8a77
+SIZE (9.9.7-P3-rpz2+rl.14038.05.patch.xz) = 39124

Copied: branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl (from r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl	Wed Sep  2 21:08:51 2015	(r395909, copy of r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl)
@@ -0,0 +1,78 @@
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c
+--- bin/named/config.c	2009-05-22 12:24:49.000000000 +0400
++++ bin/named/config.c	2009-05-22 12:31:35.000000000 +0400
+@@ -129,6 +129,8 @@
+ 	min-roots 2;\n\
+ 	lame-ttl 600;\n\
+ 	max-ncache-ttl 10800; /* 3 hours */\n\
++       override-cache-ttl 0; /* do not override */\n\
++       min-cache-ttl 0; /* no minimal, zero is allowed */\n\
+ 	max-cache-ttl 604800; /* 1 week */\n\
+ 	transfer-format many-answers;\n\
+ 	max-cache-size 0;\n\
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c
+--- bin/named/server.c	2009-05-22 12:24:49.000000000 +0400
++++ bin/named/server.c	2009-05-22 12:32:18.000000000 +0400
+@@ -1727,6 +1727,16 @@
+ 		CHECK(mustbesecure(obj, view->resolver));
+ 
+ 	obj = NULL;
++	result = ns_config_get(maps, "override-cache-ttl", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	view->overridecachettl = cfg_obj_asuint32(obj);
++
++	obj = NULL;
++	result = ns_config_get(maps, "min-cache-ttl", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	view->mincachettl = cfg_obj_asuint32(obj);
++
++	obj = NULL;
+ 	result = ns_config_get(maps, "max-cache-ttl", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->maxcachettl = cfg_obj_asuint32(obj);
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h	2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/include/dns/view.h	2009-05-22 12:29:03.000000000 +0400
+@@ -131,6 +131,8 @@
+ 	isc_boolean_t			provideixfr;
+ 	isc_boolean_t			requestnsid;
+ 	dns_ttl_t			maxcachettl;
++	dns_ttl_t			mincachettl;
++	dns_ttl_t			overridecachettl;
+ 	dns_ttl_t			maxncachettl;
+ 	in_port_t			dstport;
+ 	dns_aclenv_t			aclenv;
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c
+--- lib/dns/resolver.c	2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/resolver.c	2009-05-22 12:30:41.000000000 +0400
+@@ -4054,6 +4054,18 @@
+ 		}
+ 
+ 		/*
++		 * Enforce the configure cache TTL override.
++		 */
++                if (res->view->overridecachettl)
++                        rdataset->ttl = res->view->overridecachettl;
++
++		/*
++		 * Enforce the configure minimum cache TTL.
++		 */
++                if (rdataset->ttl < res->view->mincachettl)
++                        rdataset->ttl = res->view->mincachettl;
++
++		/*
+ 		 * Enforce the configure maximum cache TTL.
+ 		 */
+ 		if (rdataset->ttl > res->view->maxcachettl)
+diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c	2009-05-22 12:24:49.000000000 +0400
++++ lib/isccfg/namedconf.c	2009-05-22 12:31:21.000000000 +0400
+@@ -821,6 +821,8 @@
+ 	{ "lame-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
+ 	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
++	{ "override-cache-ttl", &cfg_type_uint32, 0 },
++	{ "min-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+ 	{ "max-ncache-ttl", &cfg_type_uint32, 0 },

Modified: branches/2015Q3/dns/bind99/files/named.in
==============================================================================
--- branches/2015Q3/dns/bind99/files/named.in	Wed Sep  2 20:46:55 2015	(r395908)
+++ branches/2015Q3/dns/bind99/files/named.in	Wed Sep  2 21:08:51 2015	(r395909)
@@ -230,10 +230,10 @@ named_stop()
 named_poststop()
 {
 	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
-		# unmount OpenSSL engines, if they were not mounted but only
-		# copied, do nothing.
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
-			umount ${named_chrootdir}${_openssl_engines}
+		# if using OpenSSL from ports, unmount OpenSSL engines, if they
+		# were not mounted but only copied, do nothing.
+		if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
+		  umount ${named_chrootdir}${_openssl_engines}
 		fi
 		# unmount /dev
 		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then


